Encryption is a useful measure you can apply to protect your data, especially when other data protection methods are not feasible, such as high-security storage options or de-identification of the data. The following provides a basic description of a few encryption methods and how they should be applied.
Full Disk Encryption
Full disk encryption (FDE) encrypts the hard drive of your computer; this is important because if your computer is lost or stolen the hard drive can be removed and the information on it accessed if it hasn’t been encrypted, even if your computer is password-protected. Anyone working with research data on a laptop should ensure that FDE is active.
Windows users: Windows generally uses BitLocker for FDE. BitLocker is installed on all VU green and orange workstations: if these VU computers are running Windows 10, then BitLocker is already active. If a green or orange workstation runs Windows 7, you need to activate BitLocker. If you have a VU red workstation, ensure that you install and activate BitLocker. If you have to activate BitLocker yourself, make sure to enable the recovery option. Once BitLocker is activated, it decrypts the hard drive every time you log in to your computer and re-encrypts it when you lock your computer. Additional security options can be added on top of your password, if desired. Contact the IT Service Desk for additional support if the information provided here is insufficient for your purposes.
Mac users: MacBooks come with FileVault installed as FDE software. Simply go to System Preferences > Security & Privacy to turn on FileVault. Make sure to keep the recovery key somewhere safe. Whenever you log in to your MacBook it decrypts the hard drive, and the hard drive is re-encrypted when you lock your MacBook.
Additional information on these FDE options can be found on VUnet.
Filesystem-level Encryption
Filesystem-level encryption (FLE) encrypts individual files or the entire folders those files are in. There are many different types of FLE software and, unfortunately, VU IT does not provide support for these encryption tools. Many are free and fairly easy to use, however. Unfortunately, if you work on a green or orange workstation you will need to get help from the IT Service Desk (servicedesk.it@vu.nl) to install most of these encryption tools. Also, if the encrypted files and folders need to be accessed on more than one computer, then every computer needs to have the software installed to be able to decrypt the files/folders.
- Cryptomator: Cryptomator is a fairly easy encryption tool to use; you create “vaults” within which the files and folders that you want to protect are stored. It’s your best option if you want to encrypt an entire folder that is stored on SURF Drive or Research Drive because it’s built to work well with cloud-based storage.
- Note that Cryptomator only works if you sync your encrypted files to the desktop application for SURF Drive or Research Drive.
- If you are using Cryptomator with the SURF Drive or Research Drive desktop application, sometimes the changes you make to files or folders in your vault don’t appear to sync with your Drive. If that happens, just restart the SURF Drive or Research Drive desktop application.
- If you share an encrypted vault with a user who does not have access to the desktop application, it is not immediately apparent how to decrypt the vault. The other user will need to have Cryptomator installed. They will need to download the encrypted file, which appears as a .tar-file; they should store this .tar-file in an appropriate location on their computer and unzip it. They can then go to the Cryptomator app and select “Open an existing vault” by pressing the + sign. This will open a dialogue box that allows them to select the unzipped .tar-file; they will see a file called “masterkey.cryptomator”, which they should select. This will add the vault to their Cryptomator app and they can then open it with the password you’ve provided (via a separate channel such as an SMS).
- VeraCrypt: VeraCrypt is a bit more complex than Cryptomator to use, but it’s also a good encryption tool if you need to encrypt several files simultaneously in one folder. This page provides extensive instructions on how to set up a basic “container” within which you will store all of the files and folders that need to be encrypted. It doesn’t work quite as well with cloud-based storage (i.e. SURF Drive and Research Drive), so it should only be used on your local computer or on portable media that doesn’t have built-in encryption capabilities.
- AES Crypt: AES Crypt can be used on Windows, MacOS and Linux systems; you can either install the easy-to-use graphical user interface (GUI) or, if you are familiar with the command line, the console version. AES Crypt allows you to easily encrypt individual files by simply right-clicking on the file and choosing a password.
- AES Crypt will create a new copy of your file in an encrypted form, and every time you decrypt that file, it will create an unencrypted copy. If you are only opening the file to view its contents, make sure to delete the unencrypted copy after use. If you update the unencrypted file, make sure to encrypt this updated version and overwrite the old encrypted file.
- MacOS users don’t automatically have the right-click option, and how to use the GUI app isn’t immediately clear. You can either install the “Extension to Enable Right-Clicking”, so that when you right-click on a file you see an option to encrypt or decrypt it, or you can simply drag the file you want to encrypt onto the app’s icon. The app itself does not open.
- 7-Zip Encryption: 7-Zip encryption only runs on Windows; it may already be installed on your Windows workstation. You can technically access it from a MacOS or Linux workstation via Citrix in the Windows 7 green workspace, but this should only be done if none of the above options are feasible for you.
- As with AES Crypt, 7-Zip will create a new copy of your file in an encrypted form, and every time you decrypt that file, it will create an unencrypted copy. If you are only opening the file to view its contents, make sure to delete the unencrypted copy after use. If you update the unencrypted file, make sure to encrypt this updated version and overwrite the old encrypted file.
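The two caveats above (delete the unencrypted copy after viewing; re-encrypt and overwrite after updating) are easy to forget when done by hand. The following is an added example, not part of this guide or of AES Crypt's own documentation: a small wrapper around the AES Crypt console version that decrypts into a private temporary directory and removes the plaintext again as soon as the viewing or editing command finishes. It assumes the `aescrypt` binary is on PATH and that the password is supplied in an environment variable called `AESCRYPT_PASSWORD` (both assumptions).

```shell
#!/bin/sh
# Added example (not from the VU guide): wrapper around the AES Crypt
# console tool so the unencrypted copy never outlives the step needing it.
# Assumptions: `aescrypt` is on PATH; the password is in AESCRYPT_PASSWORD.
# Caveat: `-p` passes the password as a command-line argument, which other
# local users can read from the process list; outside scripts, omit -p and
# let aescrypt prompt for it interactively.
set -eu

# Encrypt FILE to FILE.aes and remove the plaintext original.
aes_protect() {
  aescrypt -e -p "$AESCRYPT_PASSWORD" -o "$1.aes" "$1"
  rm -f "$1"
}

# Run COMMAND on a temporary decrypted copy of FILE.aes, then delete it.
# Usage: aes_with_plaintext FILE.aes COMMAND [ARGS...]
# The plaintext lives only in a fresh mktemp directory (mode 0700) and is
# removed even when COMMAND fails. Returns COMMAND's exit status.
aes_with_plaintext() {
  enc=$1; shift
  tmp=$(mktemp -d)
  plain="$tmp/$(basename "$enc" .aes)"
  aescrypt -d -p "$AESCRYPT_PASSWORD" -o "$plain" "$enc"
  rc=0
  "$@" "$plain" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Edit FILE.aes in place: decrypt to a temp copy, run COMMAND (e.g. an
# editor) on it, and replace the old .aes with a freshly encrypted version
# only if COMMAND succeeded. The temp plaintext is deleted either way.
aes_update() {
  enc=$1; shift
  tmp=$(mktemp -d)
  plain="$tmp/$(basename "$enc" .aes)"
  aescrypt -d -p "$AESCRYPT_PASSWORD" -o "$plain" "$enc"
  if "$@" "$plain"; then
    aescrypt -e -p "$AESCRYPT_PASSWORD" -o "$enc.new" "$plain" \
      && mv -f "$enc.new" "$enc"
  fi
  rm -rf "$tmp"
}
```

Typical use: `aes_protect notes.txt`, then `aes_with_plaintext notes.txt.aes less` to read and `aes_update notes.txt.aes "${EDITOR:-vi}"` to edit.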
Passwords
Set strong passwords when encrypting your media. For further information see these tips on strong passwords in the Security Basics.
Long-term encryption
Encryption standards change over time because as computers become more powerful it becomes easier to break older encryption methods. If encrypted files will be stored for long periods of time, it is important to re-assess regularly whether the encryption used still meets current standards. If data will be encrypted and stored for more than 5 years, it is necessary to nominate an individual who will monitor whether the encryption must be updated; updates are necessary whenever an encryption standard has been cracked or shown to be vulnerable. The IT Service Desk can help with this assessment.